OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web, openpkg-src         Date:   16-Dec-2002 13:39:36
  Branch: HEAD                             Handle: 2002121612393501

  Added files:
    openpkg-src/wget        wget.patch
  Modified files:
    openpkg-src/wget        wget.spec
    openpkg-web             news.txt

  Log:
    include security patches

  Summary:
    Revision    Changes     Path
    1.1         +89 -0      openpkg-src/wget/wget.patch
    1.24        +3  -1      openpkg-src/wget/wget.spec
    1.2289      +1  -0      openpkg-web/news.txt
  ____________________________________________________________________________

  Index: openpkg-src/wget/wget.patch
  ============================================================
  $ cvs update -p -r1.1 wget.patch
  diff -urN wget-1.8.2/src/fnmatch.c wget-1.8.2_save/src/fnmatch.c
  --- wget-1.8.2/src/fnmatch.c  Sat May 18 05:05:15 2002
  +++ wget-1.8.2_save/src/fnmatch.c     Fri Oct  4 14:53:40 2002
  @@ -198,6 +198,17 @@
     return (FNM_NOMATCH);
   }
   
  +/* Return non-zero if S has a leading '/'  or contains '../' */
  +int
  +has_invalid_name (const char *s)
  +{
  +     if (*s == '/')
  +             return 1;
  +     if (strstr(s, "../") != 0)
  +             return 1;
  +     return 0;
  +}
  +
   /* Return non-zero if S contains globbing wildcards (`*', `?', `[' or
      `]').  */
   int
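Review bot: has_invalid_name() rejects only a leading '/' and the substring "../", so a listing entry that is exactly ".." or that ends in "/.." still passes, because neither has a slash after the dots. The check should treat ".." as a path component rather than a substring, for example by adding `if (strcmp (s, "..") == 0) return 1;` and `if ((n = strlen (s)) >= 3 && strcmp (s + n - 3, "/..") == 0) return 1;`. No prototype for the function appears in this patch, so unless a header outside the diff declares it, the caller in ftp.c relies on an implicit declaration. The comment could also say that S is a file name taken from the remote server's directory listing, which is why it is not trusted.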
  diff -urN wget-1.8.2/src/ftp.c wget-1.8.2_save/src/ftp.c
  --- wget-1.8.2/src/ftp.c      Sat May 18 05:05:16 2002
  +++ wget-1.8.2_save/src/ftp.c Fri Oct  4 15:07:22 2002
  @@ -1551,6 +1551,8 @@
   {
     struct fileinfo *orig, *start;
     uerr_t res;
  +  struct fileinfo *f;
  +
   
     con->cmd |= LEAVE_PENDING;
   
  @@ -1562,8 +1564,7 @@
        opt.accepts and opt.rejects.  */
     if (opt.accepts || opt.rejects)
       {
  -      struct fileinfo *f = orig;
  -
  +     f = orig;
         while (f)
        {
          if (f->type != FT_DIRECTORY && !acceptable (f->name))
  @@ -1575,6 +1576,18 @@
            f = f->next;
        }
       }
  +  /* Remove all files with possible harmful names */
  +  f = orig;
  +  while (f)
  +  {
  +     if (has_invalid_name(f->name))
  +     {
  +       logprintf (LOG_VERBOSE, _("Rejecting `%s'.\n"), f->name);
  +       f = delelement (f, &start);
  +     }
  +     else
  +       f = f->next;
  +  }
     /* Now weed out the files that do not match our globbing pattern.
        If we are dealing with a globbing pattern, that is.  */
     if (*u->file && (action == GLOBALL || action == GETONE))
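Review bot: The new filtering loop starts from `orig`, but it removes entries with `delelement (f, &start)`, which suggests that `start` is the list head delelement keeps up to date. If the accept/reject pass above has already removed the first entry (its delelement call falls between the visible hunks), `orig` may no longer be a live element when this loop runs. Starting with `f = start;` would avoid depending on that. The enclosing function begins and ends outside the hunk, so how `start` is initialised should be confirmed against the full file.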
  --- wget-1.8.2/src/url.c.fpons        2002-09-04 16:16:52.000000000 +0200
  +++ wget-1.8.2/src/url.c      2002-09-04 16:32:14.000000000 +0200
  @@ -499,14 +499,18 @@
   int
   url_skip_uname (const char *url)
   {
  -  const char *p;
  +  const char *p, *pp;
   
  -  /* Look for '@' that comes before '/' or '?'. */
  -  p = (const char *)strpbrk (url, "/?@");
  -  if (!p || *p != '@')
  -    return 0;
  +  /* Look for last '@' that comes before '/' or '?'. */
  +  pp = url;
  +  while ((p = (const char *)strpbrk (pp, "/?@")) != NULL) {
  +    if (*p != '@')
  +      break;
  +    /* Found '@' character so go on with possible next '@'. */
  +    pp = p + 1;
  +  }
   
  -  return p - url + 1;
  +  return pp != url ? pp - url: 0;
   }
   
   static int
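Review bot: The terminator set passed to strpbrk is still `"/?@"`, so in a URL with no path or query an '@' that appears after a '#' is taken as the end of the user-info part and the text after it becomes the host. Adding '#' to the set, `strpbrk (pp, "/?#@")`, stops the scan at a fragment as well; whether callers can pass a URL carrying a fragment is not visible from this hunk. The returned `pp - url` is a ptrdiff_t narrowed to int, which deserves an explicit cast. A header comment stating that the function returns the offset just past the last '@' of the user-info part, or 0 when there is none, would document the new behaviour.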
  Index: openpkg-src/wget/wget.spec
  ============================================================
  $ cvs diff -u -r1.23 -r1.24 wget.spec
  --- openpkg-src/wget/wget.spec        6 Dec 2002 18:32:53 -0000       1.23
  +++ openpkg-src/wget/wget.spec        16 Dec 2002 12:39:36 -0000      1.24
  @@ -33,10 +33,11 @@
   Group:        Web
   License:      GPL
   Version:      1.8.2
  -Release:      20021206
  +Release:      20021216
   
   #   list of sources
   Source0:      ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
  +Patch0:       wget.patch
   
   #   build information
   Prefix:       %{l_prefix}
  @@ -54,6 +55,7 @@
   
   %prep
       %setup -q
  +    %patch -p1
   
   %build
       CC="%{l_cc}" \
  Index: openpkg-web/news.txt
  ============================================================
  $ cvs diff -u -r1.2288 -r1.2289 news.txt
  --- openpkg-web/news.txt      16 Dec 2002 11:26:30 -0000      1.2288
  +++ openpkg-web/news.txt      16 Dec 2002 12:39:35 -0000      1.2289
  @@ -1,3 +1,4 @@
  +16-Dec-2002: Upgraded package: P<wget-1.8.2-20021216>
   16-Dec-2002: Upgraded package: P<lynx-2.8.4-20021216>
   16-Dec-2002: Upgraded package: P<perl-5.8.0-20021216>
   15-Dec-2002: Upgraded package: P<perl-xml-20021215-20021215>
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
